Home Directory Plugins Operating Systems Windows Active Directory (AD) Check

Search Exchange

Search All Sites

Nagios Live Webinars

Let our experts show you how Nagios can help your organization.

Contact Us

Phone: 1-888-NAGIOS-1
Email: sales@nagios.com

Login

Remember Me

Directory Tree

Active Directory (AD) Check

Rating
27 votes
Favoured:
10
Current Version
3.3-20160630
Last Release Date
2016-06-30
Compatible With
  • Nagios 3.x
Hits
202500
Files:
FileDescription
Check_AD.vbsOriginal Script
check_active_directory.vbsGerman edition by J.V.
check_ad.vbsLatest version. Merged all changes, fixes and enhancements into this edition
check_ad.txtDaniel Esteves has made some changes
check_ad.txtPhil Randal has made some changes
check_ad_french.vbs.txtFrench version by Alexandre Rigaud
check_ad_french.vbs.txtUpdated version by Alexandre Rigaud
Network Monitoring Software - Download Nagios XI
Log Management Software - Nagios Log Server - Download
Netflow Analysis Software - Nagios Network Analyzer - Download
Wrapper for dcdiag.exe for Active Directory monitoring written in VBS.

This is a re-work of a script originally found here: http://felipeferreira.net/?p=315&cpage=1#comments

Only tested with Nagios 3.2.3. It should work on any version which supports reporting back via NRPE etc. Let me know how it works for you and I'll update the listing.

Works on English windows and should / could work on German, French and Spanish (Your milage may vary)
Usage: (with or without //nologo)
cscript Check_AD.vbs //nologo
cscript Check_AD.vbs //nologo /test:advertising
cscript Check_AD.vbs /test:ridmanager,services,fsmocheck

Output examples: (If one or more tests fail, CRITICAL is used as I have no idea which of these should be WARNING vs. CRITICAL. I'm assuming any failure is bad. Very bad)

Sample outputs:
OK - ridmanager: OK. services: OK. fsmocheck: OK.

CRITICAL - ridmanager: OK. services: CRITICAL. fsmocheck: OK.

CRITICAL - services: OK. replications: OK. advertising: OK. fsmocheck: OK. ridmanager: OK. machineaccount: OK. CheckSDRefDom: OK. CheckSecurityError: OK. CheckSDRefDom: OK. CrossRefValidation: OK. CutoffServers: OK. FrsEvent: CRITICAL. DFSREvent: OK. SysVolCheck: OK. LocatorCheck: OK. Intersite: OK. KccEvent: OK. KnowsOfRoleHolders: OK. NetLogons: OK. ObjectsReplicated: OK. OutboundSecureChannels: OK. Topology: OK. VerifyReferences: OK. VerifyReplicas: OK. NCSecDesc: OK.


Use dcdiag.exe /? to find out what checks YOUR version of Windows/dcdiag supports. 5 default checks are hardcoded within the script if no /test parameter is used. I don't claim they all work on all version of windows.

Email me at the address within the script for bug fixes etc. Tested on W2K8 x86 and W2K3 x64 using NSClient++ 0.3.8.75 2010-05-27 and the NRPE module.


Enjoy!


Update: check_active_directory should work on German Windows thanks to the work by Jonathan Vogt.

Update #2: Jonathan Vogt has updated his version to autodetect the Windows language, English or German, and run accordingly.

Update #3: I've merged JV's edition and added support for multipartition checks. I've left the old vbscripts in case of issues.

Update #4: Forgot to turn off verbose logging. Fixed.

Update #5: Daniel Esteves: "Fixed a problem alert for failed status and support for DNS test parameters". Download check_ad.txt file for DE's Version.

Update #6: Phil Randal: Fix multiline parsing. Added connectivity, sysvol, and kccevent tests and "dns /dnsbasic" check on 2008 and later. Tested on Windows 2003, 2008 R2, and 2012 R2 DCs

Update #7: Alexandre Rigaud added support for French OS.

Update #8: Alexandre Rigaud added support for initial Spanish OS ++

Thanks goes to those who provide updates and feedback.


JJ
Reviews (24)
When running the VB script, dcdiag /test:fsmocheck on long domain name, the vbscript get the result "passed test FsmoCheck" on multiple lines, and the script is getting a false error. For example:

Running enterprise tests on : verylong.sub.topdomaine.com
------------------------------------
Starting test: FsmoCheck
......................... verylong.sub.topdomaine.com passed test
FsmoCheck
------------------------------------
The FsmoCheck appears on the line after "passed test".
The fix when a line end with "passed test", then add the next line at the end if this line.
The code fix is available at:
https://github.com/mst-amour/nagios/blob/main/check_ad.vbs

Here is the updated function to update:
--------------------------------
'call dcdiag and parse the output
sub exec(strCmd)
'Declare variables
dim objShell : Set objShell = WScript.CreateObject("WScript.Shell")
dim objExecObject, lineout, tmpline, tmpline_no_cr_lf, end_passed_str, tmpline_next
lineout = ""
'Command line options we're using
' pt strCmd

Set objExecObject = objShell.Exec(strCmd)

'Loop until end of output from dcdiag
do While not objExecObject.StdOut.AtEndOfStream
tmpline = lcase(objExecObject.StdOut.ReadLine())

tmpline_no_cr_lf = Replace(tmpline,chr(10),"") ' Newline
tmpline_no_cr_lf = Replace(tmpline,chr(13),"") ' CR

call parselang(tmpline_no_cr_lf)
lineout = lineout + tmpline
if (instr(tmpline_no_cr_lf, ".....")) then
'testresults start with a couple of dots, so lets reset the lineout buffer
lineout= tmpline

if (len(tmpline_no_cr_lf) > 13) then
end_passed_str = Mid(tmpline_no_cr_lf, Len(tmpline_no_cr_lf) - 10, 11)

if(StrComp(end_passed_str, "passed test") = 0) then
tmpline_next = lcase(objExecObject.StdOut.ReadLine())
tmpline_next = Replace(tmpline_next,chr(10),"") ' Newline
tmpline_next = Replace(tmpline_next,chr(13),"") ' CR

tmpline_no_cr_lf = tmpline_no_cr_lf + tmpline_next
end if

end if
end if

if instr(tmpline_no_cr_lf, lcase(strOK)) then
'we have a strOK String which means we have reached the end of a result output (maybe on newline)
call parse(tmpline_no_cr_lf)
lineout = ""
end if
loop
' Catch the very last test (may be in the lineout buffer but not yet processed)
if instr(lineout, lcase(strOK) & " test") OR instr(lineout, lcase(strNotOK) & " test") then
'we have a strOK String which means we have reached the end of a result output (maybe on newline)
call parse(lineout)
end if
end sub
bynikola.uvalic, January 19, 2022
1 of 2 people found this review helpful
https://github.com/TheInfectedFetus/nagios-plugins/blob/patch-1/check_ad.vbs

This should solve the fsmo false positive for long domain names
tested on server 2019
I use this check but I have problem with operating system in Italian. I add a modify on the script and it's work on Italian too. Could I send the new version?
Bye
Franco
Hi!
Thanks for the script. I am getting the error with FSMO check

C:Program FilesNSClient++scripts>cscript.exe //NoLogo check_ad.vbs
CRITICAL - services: OK. replications: OK. advertising: OK. fsmocheck: CRITICAL. ridmanager: OK. machineaccount: OK.

If I run dcdiag /test:fsmocheck then my test is passed.
Any tip to fix this?
Thanks
Hi all,
we tested the bug-Fix from itnate but the error with the missing ridmanager still occures.

Could you please provide anothjer solution?

Thanks in advance.
byitNate, July 5, 2018
The script was flawless for DCs from 2003 to 2016. However I also have a Read Only 2012 R2 DC and the DCDiag does not check or output RIDManger. So I made a slight modification to line 237:
'Set default status for each named test
for loop1 = 0 to (ubound(name)-1)
status(loop1) = "CRITICAL"
lock(loop1) = FALSE
cmd = cmd & "/test:" & name(loop1) & " "
next

'Set default status for each named test
for loop1 = 0 to (ubound(name)-1)
status(loop1) = "Not Checked"
lock(loop1) = FALSE
cmd = cmd & "/test:" & name(loop1) & " "
next

This will allow the check to return OK if the keyword of the check is not found. However labeling that check as "Not Checked" in the service text.
https://github.com/arigaud/nagios-plugins/blob/master/check_ad.vbs
Hello,
tirst of all thank you for your job, this script is perfect to check every domain controller in our network
There is only one small problem with ReadOnly Domain COntrolelrs, because the test RidManager should be skipped in this case. Dcdiag does not output anything for the test RidManager when is executed on a RDOC, so the script should detect this condition and skip the test.
Thanks
Best regards
Luca
In response to:
I have the same problem than Jeremy B, dcdiag result is on 2 line instead of 1 and I have a critical error for fsmo check.

Change the default values for the English language (unless you want to test other languages):

'Lang dependend. Default is english
dim strOK : strOK = "?????? ???????? "
dim strNotOK : strNotOk = "?? ?????? ???????? "

The only remark, these values must be saved in the editor encoded OEM 866 and then we obtain the following:

'Lang dependend. Default is english
dim strOK : strOK = "??®©¤?­ ??®???? "
dim strNotOK : strNotOk = "­? ??®©¤?­ ??®???? "

In the end is required to type in a space, otherwise in the case of a long domain name ( in my case it’s 16 characters) will occur a line break and FsmoCheck will process incorrectly.
More exactly works correctly, but will process the result of incorrect.
This is clearly evident when you start c verbose = 1 and uncomment fields (remove in front quotes):
‘pt "lineout buffer '" & lineout & "'"
‘pt "lineout buffer appended '" & lineout & "'"
I can see what the script does when I run it manually, however when executed by nagios is it supposed to show more than OK space and a dash? I would think since the script spits out the status of each item being checked it would show those results in the Status Information. How I'm configured:

In NSClient.ini under external scripts:
actived=cscript.exe //T:30 //NoLogo scripts\\check_ad.vbs $ARG1

In commands.cfg:

define command{
command_name check_nrpe
command_line /usr/local/nagios/libexec/check_nrpe -H $HOSTADDRESS$ -c $ARG1$
}


in windows.cfg:

define service{
use generic-service
host homeserver
service_description AD
check_command check_nrpe!actived
}

Thoughts?
byBarosch, November 26, 2015
First of all...thank you for this nice script.
But I have a small problem.

Running the script from the cli works fine:
cscript //nologo .check_ad.vbs
OK - services: OK. replications: OK. advertising: OK. fsmocheck: OK. ridmanager: OK. machineaccount: OK.

But when i execute the script with "nscp test" the output is cropped
D ext-script Command line: cscript.exe //T:30 //NoLogo scripts\lib\wrapper.vbs check_ad.vbs
L cli OK: OK -

NSClient++ Version is 0.4.3.143

Can you help me with this problem?
Thank you in advance.
Hi, i have my domain controllers running on Windows Server 2012 in spanish versión, and not found, the check status is "unknown", somebody can help me please?

Thanks,
byBassDudu, April 17, 2014
Hi,

I tried to figure out how to use the script in french version for Windows server 2012 but nothing works.

I changed the variables in french which are "réussi" when it's ok and "échoué" when it failed. But I'm not sure...
When I use dcdiag, all is ok and with the plugin all is critical.

Thank you
Owner's reply

Note that é may look the same on screen, but a string compare may fail due to different codepages.

Always validate script works when running from a command prompt before running via Nagios.

it doesn't work on windows 2008 r2 x64 domain controller because it require elevation.
it is a way to fix the code to make it work?
Thanks
Owner's reply

Works fine for me when running under Nagios on Windows 2008, Windows 2008 R2, Windows 2012 and 2012 R2.

When testing running from a command prompt, yes, run with elevated rights.

byGuiona, March 1, 2014
doesn't work on French system with accented characters but I have solve this problem and add /help arguments.
You can found the code on https://github.com/Guiona/NagiosPlugins/blob/master/check_ad.vbs
byVitalyZ, January 14, 2014
Hi i'm having a hard time setting up check_ad on my nagios server returns an error on nagios return code of 127 is out of bounds - plugin may be missing in nagios i get a no handler for commmand. Please help.

This is what I've done so far
on the host:
In nsclient-full.ini I enabled external scripts allowed agruments and nasty characters
and added

[/settings/external scripts/scripts]
command[check_activedir]=cscript "C:\Program Files\NSClient++\scripts\Check_AD.vbs" //nologo /test:$ARG1$
also tried
[NRPE Handlers]
command[check_activedir]=cscript "C:\Program Files\NSClient++\scripts\Check_AD.vbs" //nologo /test:$ARG1$

on nagios server
in the commands.cfg added
define command{
command_name check_nrpe
command_line $users1$/checknrpe -H $HOSTNAME$ -c check_activedir -t TIMEOUT -a Replications }

in the machine settings file in nagios
define service {
use generic-service
hostgroup phx-dc
service_description active directory health
check_command Check_nrpe!check_activedir}

plug-in
http://exchange.nagios.org/directory/Plugins/Operating-Systems/Windows/Active-Directory-(AD)-Check/details

email me @ vitaly-23@yahoo.com (remove - between name and number) thank you
Script works fine most of the time but sometimes exits with error code -1073741819
Resulting in an unknown state for Nagios
Anyone got any suggestions for this ?

I don't seem to be the only person running in to this problem
http://www.nsclient.org/nscp/ticket/602
Owner's reply

Check if error is caused by a specific test and add some more checks/debug information to see what causes the error (what line in the vbs file)

Hi,

I have the same problem than Jeremy B, dcdiag result is on 2 line instead of 1 and I have a critical error for fsmo check.

how can I fix that ?

Thanks
byleinad, April 3, 2013
...as it should!

Thanks a lot!
Works like a charm on Windows Server 2012
Page 1 of 2